Post #1, May 5 2008, 02:34 PM
Member (Group: Members, Posts: 25, Joined: 5-May 08, Member No.: 207,195)
My name is Dave and I am new to this forum. My HP Pavilion notebook (Vista OS) has become infected with an aggressive malware that will actually open IE on its own and display pop-ups. McAfee and PCSafe did not find it, but product support @ PCSafe recommended running a program called “ComboFix”. I downloaded a tutorial on this program from this site. The tutorial suggested booting in “Vista Recovery Environment”. I was not able to do this as my laptop did not come with a Windows disk, but I otherwise followed the instructions.

The program (ComboFix) appeared to be running as the tutorial said it would. It appeared to be about finished, but it rebooted my laptop. (This occurrence was not included in the tutorial.) My desktop has not been restored and it’s been over an hour now. There is a blank, blue, DOS prompt screen which reads at the top:

C:\Windows\system32\CF20902.exe

Anyone know what I should do next? Thank you, Dave
Post #2, May 5 2008, 03:22 PM
a forum member (Group: Members, Posts: 1,616, Joined: 27-August 07, Member No.: 153,171)
Welcome to this site.

Sorry to hear about your problems with ComboFix; however, as this program states within the instructions, one presumes a trained malware expert did not instruct you to run it, and nor did you read fully the ComboFix disclaimer? Running the program unsupervised can lead to your computer being rendered forever unbootable; it is that powerful a tool, which is why it MUST be run only under strictly supervised conditions.

We may need to see if a member of the HJT Team can get you 'recovered'. Do we note you do NOT have your computer CD and licence key available?

Can you clarify:

QUOTE: It appeared to be about finished, but it rebooted my laptop

QUOTE: My desktop has not been restored and it’s been over an hour now.

Did you run ComboFix on BOTH machines?

This post has been edited by ruby1: May 5 2008, 03:27 PM
Post #3, May 5 2008, 03:36 PM
Member (Group: Members, Posts: 25, Joined: 5-May 08, Member No.: 207,195)
No, my computer did not come with a Windows CD.

No, I did not run the program on both machines - just the laptop. My gut is that I have done minimal/repairable damage. I could probably just close the program, but I'm afraid to do anything else without seeking help. Thanks, Dave
Post #4, May 5 2008, 04:00 PM
Member (Group: Members, Posts: 25, Joined: 5-May 08, Member No.: 207,195)
What's an "HJT Team", and how do I contact them?

Thanks again, Dave
Post #5, May 5 2008, 04:17 PM
a forum member (Group: Members, Posts: 1,616, Joined: 27-August 07, Member No.: 153,171)
QUOTE: What's an "HJT Team", and how do I contact them? Thanks again, Dave

They are a specialist part OF this forum who undergo extensive, intensive training before they can help with really messed up computers, and use very powerful tools where appropriate to clean. I have already notified the Team to see how you can hopefully be helped to recover; a Mod or other suitably 'qualified' Staff member on here will hopefully reply to this thread in due course.
Post #6, May 5 2008, 04:18 PM
Member (Group: Members, Posts: 25, Joined: 5-May 08, Member No.: 207,195)
Thanks a million!
Post #7, May 5 2008, 04:32 PM
Visiting Alien (Group: Members, Posts: 3,942, Joined: 20-May 07, From: millenium falcon, Member No.: 131,963)
http://www.bleepingcomputer.com/forums/topic114351.html

Did you disable McAfee as specified in this guide?
Post #8, May 5 2008, 06:25 PM
Member (Group: Members, Posts: 25, Joined: 5-May 08, Member No.: 207,195)
Yes, I did disable McAfee. I was able to close ComboFix and find the report. The program did not appear to work exactly as the tutorial said it would, but it looks as though it did its job and I have detected no damage.
The tutorial mentions that I am supposed to post the results on this forum. I will do that here unless there is another place on this site that would be more appropriate? Thanks again, Dave
Post #9, May 5 2008, 06:37 PM
Visiting Alien (Group: Members, Posts: 3,942, Joined: 20-May 07, From: millenium falcon, Member No.: 131,963)
I have been told that Vista is easy to clean up.

Why don't you run a scan: http://www.bleepingcomputer.com/forums/ind...st&p=817091
Post #10, May 5 2008, 06:53 PM
Member (Group: Members, Posts: 25, Joined: 5-May 08, Member No.: 207,195)
Well - that's what I did - I thought - perhaps - maybe...

I ran ComboFix and posted the results above because that's what the tutorial said to do. I'm not sure this is where I'm supposed to post the results though. I can't interpret the results, so I don’t know if the program found/repaired/removed/fixed anything. Thanks, Dave
Post #11, May 5 2008, 07:08 PM
Visiting Alien (Group: Members, Posts: 3,942, Joined: 20-May 07, From: millenium falcon, Member No.: 131,963)
The people trained to interpret and supervise the use of ComboFix are the experts in the HijackThis forum.

Let's ignore your ComboFix log and run that other scan with MBAM.
Post #12, May 5 2008, 07:14 PM
a forum member (Group: Members, Posts: 1,616, Joined: 27-August 07, Member No.: 153,171)
You should not attempt to interpret the results from the scan, which is one reason why running the fix and posting the log is done under HJT supervision.

These logs are only intended FOR the HJT section; as you have now posted a ComboFix log, this thread will doubtless be moved by the Mods to that section.
Post #13, May 5 2008, 07:27 PM
Bleepin' Animin (Group: Site Admin, Posts: 4,793, Joined: 18-August 05, From: Now On..., Member No.: 31,547)
ComboFix logs should not be posted outside the HijackThis forums. It is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained. ComboFix is intended by its creator to be "used under the guidance and supervision of an expert", NOT for private use. Please read ComboFix's Disclaimer. Using this tool incorrectly could lead to disastrous problems with your operating system, such as preventing it from ever starting again.

Please create a new topic explaining the nature of your problem in the Am I infected? What do I do? forum. Describe pop-ups and system tray or desktop icons that have appeared. Explain what is "going wrong" with your computer. Note any tools you have used and their respective results. If needed, we will direct you to our HJT Preparation Guide. Thank you for using BleepingComputer as your malware removal source.

This topic is now closed.

The BC Staff